Codex Agent Enhanced
Pass
Audited by VirusTotal on May 11, 2026.
Overview
Type: OpenClaw Skill
Name: codex-agent-enhanced
Version: 1.0.0-enhanced
This skill bundle implements an automation framework for the Codex CLI that includes high-risk persistence and data redirection mechanisms. The `scripts/setup.sh` script modifies global configurations (~/.codex/config.toml) and installs a Cron job for persistence, while `hooks/on_complete.py` contains a hardcoded Telegram Chat ID (7936836901) and specific bot accounts (e.g., geq1fan_bot) that receive task summaries and directory paths by default. Furthermore, the instructions in `SKILL.md` direct the AI agent to handle processes autonomously and hide intermediate steps from the user, which creates a significant risk of unmonitored execution and potential data exfiltration to the hardcoded external endpoints.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Codex may run commands and modify project files with broad autonomy after the initial task approval.
The skill explicitly encourages full-auto Codex execution and says the agent/Codex will handle approvals, iterations, and modifications without involving the user until final reporting.
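codex exec --full-auto -C <workdir> "<prompt>" ... In both modes, **the intermediate process (approvals, iterations, modifications) is handled autonomously by me; Tao Ge only cares about the final result**.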
Use the non-full-auto approval mode for sensitive projects, require review of commands that can delete, publish, install, or change credentials/configuration, and keep work scoped to a specific trusted directory.
A malicious or compromised project `.env` could execute arbitrary commands under the user's account before Codex starts.
The standard workflow tells the agent to source a project-local `.env` file before running Codex. `source .env` executes shell code, not just variable assignments.
cd /path/to/project
source .env
...
codex exec --full-auto -C <workdir> "<prompt>"
Do not source untrusted `.env` files. Prefer a strict key=value parser, inspect the file first, or keep the environment file generated and owned by the user.
Notification behavior depends on unreviewed local code outside the skill, which could fail, be replaced, or handle task output differently than expected.
The hook executes a sibling `telegram-sender` Python script that is outside the provided skill manifest, so the reviewed artifacts do not show what code will send the notification.
SENDER_SCRIPT = os.path.join(SKILL_DIR, "..", "telegram-sender", "scripts", "send.py")
subprocess.Popen(["python3", SENDER_SCRIPT, "-m", full_msg, "-c", CHAT_ID, "-a", ACCOUNT_ID])
Include and pin the notification helper in the skill package, declare it as a dependency, or replace it with a reviewed OpenClaw command/API call.
Project paths, task summaries, or accidental sensitive output may be sent to a messaging channel or bot account the user has not fully verified.
The hook sends the working directory, Codex's last assistant message, and thread ID to Telegram; the sender account is selected through hardcoded account mappings.
agent_msg = (
f"📁 {cwd}\n"
f"💬 {summary}\n"
f"thread: {thread_id}"
)
send_notification(agent_msg)
Confirm the Telegram target and bot account before use, avoid sending secrets in Codex output, and add redaction or an opt-in notification mode for full task summaries.
Agent context and task state may persist far longer than expected, increasing the chance of stale instructions, privacy exposure, or unintended later actions.
The install guide requires changing OpenClaw session reset to an effectively 100-year idle period, creating very long-lived agent context.
"idleMinutes": 52560000 ... This is equivalent to resetting only after 100 years ... You can still reset manually at any time with `/new`.
Use a shorter retention window, document how to restore the default session reset, and only enable long-lived sessions for specific trusted workflows.
The agent may continue waking on a schedule until the cron job is removed.
The provided cron example repeatedly wakes an agent every 10 minutes and tells it to execute the waker prompt. This matches the advertised cron workflow but is persistent automation.
"everyMs": 600000 ... "text": "请读取 /root/.openclaw/skills/codex-agent/tasks/codex-task-waker.prompt.md 并严格执行。" ... "deleteAfterRun": false
Add cron jobs only when needed, bind them to a specific project/task, and remove or disable them after completion.
